Microsoft Sentinel SAP solution detailed SAP requirements (public preview)
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
The default procedure for deploying the Microsoft Sentinel SAP solution includes the required SAP change requests and SAP notes, and provides a built-in role with all required permissions.
This article lists the required SAP change requests, notes, and permissions in detail.
Use this article as a reference if you're an admin, or if you're deploying the SAP solution manually. This article is intended for advanced SAP users.
The Microsoft Sentinel SAP solution is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Additional requirements are listed if you're deploying your SAP data connector using a secure SNC connection. For more information, see Deploy the Microsoft Sentinel SAP data connector with SNC.
Recommended virtual machine sizing
The following table describes the recommended sizing for your virtual machine, depending on your intended usage:
|Minimum specification, such as for a lab environment||A Standard_B2s VM|
|Standard connector (default)||A DS2_v2 VM, with 2 cores and 8-GB memory|
|Multiple connectors||A Standard_B4ms VM, with 4 cores and 16-GB memory|
Required SAP log change requests
The following SAP log change requests are required for the SAP solution, depending on your SAP Basis version:
- For SAP Basis versions 7.50 and higher, install NPLK900170
- For lower versions, install NPLK900169
- To create an SAP role with the required authorizations, for any supported SAP Basis version, install NPLK900163. For more information, see Configure your SAP system and Required ABAP authorizations.
The required SAP log change requests expose custom RFC function modules (FMs) that the connector requires. They do not change any standard or custom objects.
Required SAP notes
If you have an SAP Basis version of 7.50 or lower, install the following SAP notes:
|SAP BASIS versions||Required note|
|750 SP01 to SP12; 751 SP01 to SP06; 752 SP01 to SP03||2641084: Standardized read access for the Security Audit log data|
|700 to 702; 710 to 711, 730, 731, 740, and 750||2173545: CD: CHANGEDOCUMENT_READ_ALL|
|700 to 702; 710 to 711, 730, 731, and 740; 750 to 752||2502336: CD (Change Document): RSSCD100 - read only from archive, not from database|
Access the SAP notes from the SAP support Launchpad site.
Required SAP port access:
Access to the SAP environment host is required via the following TCP ports: 32xx, 5xx13, and 33xx, where xx is the SAP instance number.
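A preflight check for the port requirement above, added here as an example (it is not part of the original article or of the Microsoft connector). It expands the three port patterns for a given instance number and tests TCP reachability from the machine that will run the connector. The function names and status strings are assumptions of this example.

```python
import re
import socket
import sys

# Port patterns from the requirement above; "xx" is the two-digit SAP instance number.
PORT_PATTERNS = ("32xx", "5xx13", "33xx")


def sap_ports(instance_nr):
    """Expand each pattern for one instance number given as a string, "00" to "99"."""
    if not isinstance(instance_nr, str) or not re.fullmatch(r"[0-9]{2}", instance_nr):
        raise ValueError("instance number must be a two-digit string such as '00'")
    return {p: int(p.replace("xx", instance_nr)) for p in PORT_PATTERNS}


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt (status strings are this example's own)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host answered, but nothing listens on that port
    except socket.timeout:
        return "timeout"    # no answer at all, typically a firewall or NSG drop
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)   # DNS failure, no route, ...


def preflight(host, instance_nr, timeout=3.0):
    """Return {pattern: (port, status)} for all three required ports."""
    return {p: (port, probe(host, port, timeout))
            for p, port in sap_ports(instance_nr).items()}


if __name__ == "__main__":
    # Usage: python3 sap_port_preflight.py <sap-host> <instance-nr>
    results = preflight(sys.argv[1], sys.argv[2])
    for pattern, (port, status) in results.items():
        print("%-6s tcp/%-5d %s" % (pattern, port, status))
    sys.exit(0 if all(s == "open" for _, s in results.values()) else 1)
```

A "refused" result usually points to a wrong instance number or a stopped SAP service, while "timeout" points to network filtering between the connector VM and the SAP host.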
Required ABAP authorizations
The following table lists the ABAP authorizations required for the backend SAP user to connect Microsoft Sentinel to the SAP logs. For more information, see Configure your SAP system.
Required authorizations are listed by log type. You only need the authorizations listed for the types of logs you plan to ingest into Microsoft Sentinel.
To create the role with all required authorizations, deploy the SAP change request NPLK900163 on your SAP system. This change request creates the /MSFTSEN/SENTINEL_CONNECTOR role, and you, typically an SAP Basis or role owner, must assign the role to the ABAP user connecting to Azure Sentinel.
|All RFC logs|
|ABAP Application Log|
|ABAP Change Documents Log|
|ABAP CR Log|
|ABAP DB Table Data Log|
|S_TABU_DIS||DICBERCLS||+ Any object required for logging|
|S_TABU_NAM||TABLE||+ Any object required for logging|
|ABAP Job Log|
|ABAP Job Log, ABAP Application Log|
|ABAP Security Audit Log - XAL|
|ABAP Security Audit Log - XAL, ABAP Job Log, ABAP Application Log|
|ABAP Security Audit Log - SAL|
|ABAP Spool Log, ABAP Spool Output Log|
|ABAP Workflow Log|
For more information, see:
- Deploy the Microsoft Sentinel solution for SAP
- Deploy the Microsoft Sentinel SAP data connector with SNC
- Expert configuration options, on-premises deployment, and SAPControl log sources
- Microsoft Sentinel SAP solution logs reference
- Microsoft Sentinel SAP solution: available security content
- Troubleshooting your Microsoft Sentinel SAP solution deployment